From 79035ab97cbc5351c890b5e065315bcd32e15af8 Mon Sep 17 00:00:00 2001 From: OpenSecureCo <74164997+OpenSecureCo@users.noreply.github.com> Date: Mon, 10 May 2021 14:07:07 -0500 Subject: [PATCH] Create remove positive virustotal threats --- remove positive virustotal threats | 174 +++++++++++++++++++++++++++++ 1 file changed, 174 insertions(+) create mode 100644 remove positive virustotal threats diff --git a/remove positive virustotal threats b/remove positive virustotal threats new file mode 100644 index 0000000..cbeb2a4 --- /dev/null +++ b/remove positive virustotal threats 
@@ -0,0 +1,174 @@
+Manager side
+Append the following decoder to /var/ossec/etc/decoders/local_decoder.xml
+
+
+
+ ar_log
+ ^(\S+) Removed positive threat located in (\S+)
+ script_name, path
+
+
+
+Append the following rule to /var/ossec/etc/rules/local_rules.xml
+
+
+ 607
+ Removed positive
+ $(script_name) Removed positive threat located in $(path)
+
+
+
+
+Place this custom-remove-threat script in /var/ossec/integrations
+
+
+#!/usr/bin/env python
+# Copyright (C) 2017 Wazuh Inc.
+# October 29, 2019.
+#
+# This program is a free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation.
+# Wazuh, Inc
+import json
+import sys
+import time
+import os
+from socket import socket, AF_UNIX, SOCK_DGRAM
+# ossec.conf configuration:
+#
+# remove-threat
+# remove-threat.sh
+# filename
+# no
+#
+#
+# no
+# remove-threat
+# local
+#
+#
+# custom-remove-threat
+# 87105
+# json
+#
+# Global vars
+debug_enabled = True
+pwd = os.path.dirname(os.path.dirname(os.path.realpath(__file__)))
+json_alert = {}
+now = time.strftime("%a %b %d %H:%M:%S %Z %Y")
+# Set paths
+log_file = '{0}/logs/integrations.log'.format(pwd)
+socket_addr = '{0}/queue/alerts/ar'.format(pwd)
+def main(args):
+ debug("# Starting")
+ # Read args
+ alert_file_location = args[1]
+ debug("# File location")
+ debug(alert_file_location)
+ # Load alert. Parse JSON object.
+ with open(alert_file_location) as alert_file:
+ json_alert = json.load(alert_file)
+ debug("# Processing alert")
+ debug(json_alert)
+ # Send event to AR socket
+ msg = "(msg_to_agent) [] NNS {0} remove-threat0 - {1}".format(json_alert["agent"]["id"], json_alert["data"]["virustotal"]["source"]["file"])
+ send_event(msg)
+def debug(msg):
+ if debug_enabled:
+ msg = "{0}: {1}\n".format(now, msg)
+ print(msg)
+ f = open(log_file,"a")
+ f.write(msg)
+ f.close()
+def send_event(msg):
+ sock = socket(AF_UNIX, SOCK_DGRAM)
+ sock.connect(socket_addr)
+ sock.send(msg.encode())
+ sock.close()
+if __name__ == "__main__":
+ try:
+ # Read arguments
+ bad_arguments = False
+ if len(sys.argv) >= 2:
+ alertfile=sys.argv[1]
+ msg = '{0} {1} {2} {3}'.format(now, sys.argv[1], sys.argv[2], sys.argv[3])
+ else:
+ msg = '{0} Wrong arguments'.format(now)
+ bad_arguments = True
+ # Logging the call
+ f = open(log_file, 'a')
+ f.write(msg +'\n')
+ f.close()
+ if bad_arguments:
+ debug("# Exiting: Bad arguments.")
+ sys.exit(0)
+ # Main function
+ main(sys.argv)
+ except Exception as e:
+ debug('Error:' + str(e))
+ raise
+
+
+Set permissions to the custom-remove-threat
+change ownership to root:ossec /var/ossec/integrations/custom-remove-threat
+chmod +x /var/ossec/integrations/custom-remove-threat
+
+
+Manager ossec.conf
+
+
+ remove-threat
+ remove-threat.sh
+ filename
+ no
+
+
+
+ no
+ remove-threat
+ local
+
+
+
+ custom-remove-threat
+ 87105
+ json
+
+
+Systemctl restart wazuh-manager
+
+Agents side
+Place this remove-threat.sh script in /var/ossec/active-response/bin/
+
+#!/bin/bash
+
+# Checking user arguments
+if [ "x$1" == "xdelete" ]; then
+ exit 0;
+fi
+
+LOCAL=`dirname $0`;
+cd $LOCAL
+cd ../
+
+PWD=`pwd`
+
+# Removing file
+rm -f $3
+if [ $? -eq 0 ]; then
+ echo "`date` $0 Removed positive threat located in $3" >> ${PWD}/../logs/active-responses.log
+else
+ echo "`date` $0 Error removing positive threat located in $3" >> ${PWD}/../logs/active-responses.log
+fi
+
+exit 0;
+
+
+Set permissions to the remove-threat.sh
+change ownership to root:ossec /var/ossec/active-response/bin/remove-threat.sh
+chmod +x /var/ossec/active-response/bin/remove-threat.sh
+
+
+Systemctl restart wazuh-agent
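Review bot: In remove-threat.sh near the end of the hunk, the deletion target is used unquoted in `rm -f $3` and in both `echo` log lines, yet `$3` is a file path that the manager-side script fills from the alert (`json_alert["data"]["virustotal"]["source"]["file"]`) rather than from the operator, so a name containing spaces or glob characters is word-split and expanded before `rm` sees it, which deletes the wrong paths or nothing at all. Quote it and terminate option parsing, `rm -f -- "$3"`, and use `"$3"` in the two log lines; it would also be prudent to refuse anything that is not a regular file under the directory syscheck monitors before deleting — presumably the intended scope, confirm against the deployment. The decoder regex `^(\S+) Removed positive threat located in (\S+)` has the same fragility, since `path` stops at the first space in the logged name. Separately, in custom-remove-threat's `__main__` block the guard `if len(sys.argv) >= 2:` does not cover the `sys.argv[3]` read on the following line, so a call with fewer than four arguments raises IndexError inside the try and is logged then re-raised instead of taking the "Wrong arguments" path; it should read `if len(sys.argv) >= 4:`.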